wifi: b43: enforce bounds check on firmware key index in b43_rx()

The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read.

Make the B43_WARN_ON check enforcing by dropping the frame when the
firmware returns an invalid key index.

Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Michael Büsch <m@bues.ch>
Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
index 7651b1bdb59266127989f2f80bfab7b182e52234..f0b082596637ff271e7632ecd4322ec2784bc246 100644 (file)
--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
                 * key index, but the ucode passed it slightly different.
                 */
                keyidx = b43_kidx_to_raw(dev, keyidx);
-               B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+               if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
+                       goto drop;
 
                if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
                        wlhdr_len = ieee80211_hdrlen(fctl);